1. Check the running status of firewalld: systemctl status firewalld
2. Start the firewalld firewall: systemctl start firewalld
3. Configure the firewall rules. Only the rules for the zone named public need to be configured.
(1) Add a port that may be accessed. The --permanent parameter means the rule persists after a restart; without it, the rule is gone once the firewall restarts.
firewall-cmd --zone=public --add-port=80/tcp --permanent
(2) Allow a fixed IP to access the MySQL service:
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=111.111.111.111 port port=3306 protocol=tcp accept'
(3) Configure the ssh service. CentOS 7 on Alibaba Cloud servers has the ssh service enabled by default, so every IP can access it. To restrict access to a fixed IP,
add one more rule on top of the command above:
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=111.111.111.111 port port=3306 protocol=tcp accept' --add-rich-rule 'rule family=ipv4 source address=111.111.111.111 port port=22 protocol=tcp accept'
Look in the file /etc/firewalld/zones/public.xml: the line <service name="ssh"/> must be commented out before the ports configured under rule take effect; otherwise every IP can still log in over ssh.
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <!-- <service name="ssh"/> -->
  <port protocol="tcp" port="80"/>
  <rule family="ipv4">
    <source address="111.111.111.111"/>
    <port protocol="tcp" port="3306"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="111.111.111.112"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="111.111.111.111"/>
    <port protocol="tcp" port="22"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="111.111.111.111"/>
    <port protocol="tcp" port="3306"/>
    <accept/>
  </rule>
</zone>
(4) You can also edit the configuration file above directly. Once the configuration is done, restart the firewall:
systemctl restart firewalld
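The reason step (3) insists on commenting out <service name="ssh"/> is that a zone-level service or port entry admits traffic from every source, while a rich rule with a source address only adds an allowance for that address; the two do not combine into a restriction. The following added example (not part of the original note, and not firewalld's own tooling) parses a zone file in the format shown above and reports, per port, which sources are admitted, flagging a port that has source-restricted rules but is still open to everyone, and flagging duplicate rules like the repeated 3306 entry above. The SERVICE_PORTS mapping and both sample zone files are constructed for the example; firewalld itself resolves service names from /usr/lib/firewalld/services/.

```python
import xml.etree.ElementTree as ET

# Ports behind the firewalld service names that appear on this page. This is a
# shortened, constructed mapping; firewalld reads the real definitions from
# /usr/lib/firewalld/services/<name>.xml.
SERVICE_PORTS = {
    "ssh": ("tcp", "22"),
    "http": ("tcp", "80"),
    "mysql": ("tcp", "3306"),
    "dhcpv6-client": ("udp", "546"),
}

ANY = "any source"

# Constructed sample: ssh service still enabled alongside a source-restricted
# rule for port 22, plus a duplicated 3306 rule (mirrors the zone file above).
ZONE_SSH_OPEN = """<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
  <rule family="ipv4"><source address="111.111.111.111"/><port protocol="tcp" port="22"/><accept/></rule>
  <rule family="ipv4"><source address="111.111.111.111"/><port protocol="tcp" port="3306"/><accept/></rule>
  <rule family="ipv4"><source address="111.111.111.111"/><port protocol="tcp" port="3306"/><accept/></rule>
</zone>"""

# Constructed sample after the fix: ssh service commented out, duplicate removed.
ZONE_SSH_RESTRICTED = """<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
  <!-- <service name="ssh"/> -->
  <port protocol="tcp" port="80"/>
  <rule family="ipv4"><source address="111.111.111.111"/><port protocol="tcp" port="22"/><accept/></rule>
  <rule family="ipv4"><source address="111.111.111.111"/><port protocol="tcp" port="3306"/><accept/></rule>
</zone>"""


def audit_zone(xml_text):
    """Return ({"proto/port": set(sources)}, [warnings]) for one zone file.

    A zone-level <service> or <port> admits the port from every source; a
    <rule> with a <source> admits it only from that address.
    """
    root = ET.fromstring(xml_text)
    exposure = {}
    warnings = []

    for svc in root.findall("service"):
        name = svc.get("name")
        if name not in SERVICE_PORTS:
            warnings.append("unknown service %s: port mapping not checked" % name)
            continue
        proto, port = SERVICE_PORTS[name]
        exposure.setdefault("%s/%s" % (proto, port), set()).add(ANY)

    for p in root.findall("port"):
        key = "%s/%s" % (p.get("protocol"), p.get("port"))
        exposure.setdefault(key, set()).add(ANY)

    seen_rules = set()
    for rule in root.findall("rule"):
        port = rule.find("port")
        if port is None or rule.find("accept") is None:
            continue  # only plain accept-by-port rules are modelled here
        src = rule.find("source")
        who = src.get("address") if src is not None else ANY
        key = "%s/%s" % (port.get("protocol"), port.get("port"))
        if (key, who) in seen_rules:
            warnings.append("duplicate rule: %s from %s" % (key, who))
        seen_rules.add((key, who))
        exposure.setdefault(key, set()).add(who)

    # A per-source rule next to an open-to-all entry restricts nothing.
    for key, sources in sorted(exposure.items()):
        if ANY in sources and len(sources) > 1:
            warnings.append("%s has source-restricted rules but is also open to %s; "
                            "the restriction has no effect" % (key, ANY))
    return exposure, warnings


if __name__ == "__main__":
    for label, text in (("before", ZONE_SSH_OPEN), ("after", ZONE_SSH_RESTRICTED)):
        exposure, warnings = audit_zone(text)
        print(label, {k: sorted(v) for k, v in exposure.items()})
        for w in warnings:
            print("  WARNING:", w)
```

Run it against a copy of the live file (for example `audit_zone(open("/etc/firewalld/zones/public.xml").read())`) after editing and before restarting firewalld: the "no effect" warning on tcp/22 is exactly the situation the note describes, where the service entry silently overrides the intended per-IP restriction.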